Re: Iptables :: priority of rules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Luc MAIGNAN wrote:

Hi all,

I don't understand how the priority of the rules of iptables is set.
My problem : I want to allow ssh from my local network(1), and from outside only for an IP(2) 

So i Wrote :

(1) : iptables -I INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT
(2) : iptables -I INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP
The result is that I can ssh only from the ousided IP, not from local network. If I switch the two rules, the result is the same. 

Can anyone help me to understand ?

BR

There is a list of rules in the kernel.  An arriving packet is
matched against the list IN THE ORDER OF THE LIST; the first
ACCEPT or DROP rule that matches will determine the fate of
the packet.

The "-I" option of iptables puts a rule at the BEGINNING of the
list; the "-A" option puts a rule at the end of the list.

Since you used "-I" in both of your iptables invocations,
the second rule gets inserted at the beginning of the list
ahead of the first rule, and therefore
you created a rule list with the rules in the order:

   match -s ! x.x.x.x  action DROP
   match -s 192.168.0.0/24  action ACCEPT

If a packet happens to match both of those rules, the first one
would take effect.

I suppose you could have changed the "-I" to "-A" to
put the rules in at the end of the list in the order

   match -s 192.168.0.0/24  action ACCEPT
   match -s ! x.x.x.x  action DROP

HOWEVER, you didn't say whether there were other rules in
the list already.  For example, the default Redhat firewall
would already have a rule in the INPUT list (I know, the
implementer calls the lists "chains") that matches all
packets, so your rules would then not be effective.

Your quickest fix is just to interchange the order of your
two iptables invocations and leave the "-I".  This would be

iptables -I INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP
iptables -I INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT

This would first insert the x.x.x.x rule into the INPUT list,
and then insert the 192.168.0.0 into the INPUT rule ahead of
the x.x.x.x rule.  I know that is counter-intuitive, but that's
the way it actually works.
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux